Security Bulletins – April 2008

We’ve just released two security bulletins – first and foremost, there’s a Flash Player update announced in APSB08-11 that provides solutions for previously disclosed vulnerabilities (including the PWN2OWN Contest issue reported by Shane Macaulay) in Flash Player version 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This is the update we’ve referred to in a couple of earlier posts. These potential vulnerabilities could allow someone who successfully exploits them to take control of the affected system, so we recommend users update to the latest version of Flash Player (ideally 9.0.124.0) available for their operating system by downloading it from the Player Download Center.
There are also security enhancements that provide further mitigations for the previously disclosed DNS Rebinding (CVE-2007-5275), cross-domain policy file (CVE-2007-6243), and port-scanning (CVE-2007-4324) issues listed in Security Bulletin APSB07-20 (originally posted on December 18, 2007) and the cross-site scripting issues (CVE-2007-6637) listed in Security Advisory APSA07-06 (originally posted on December 23, 2007). Per our previous guidance about these potential issues, it’s recommended that content developers review this Adobe Developer Center article to determine if the security enhancements may affect their content, and begin implementing any necessary changes.
We’d like to thank all the researchers who reported the issues covered by this update – all the details are in the ‘Acknowledgments’ section, but we’d like to emphasize that we really appreciate the cooperation and help.
We also released a Security Bulletin for ColdFusion, APSB08-12 that resolves a pretty basic bug in the remoting-config.xml file that controls the access level to CFC methods for Flex 2 Remoting.
*This posting is provided “AS IS” with no warranties, and confers no rights.*

Comments are closed.